# ISO 27001 Critical Supplier Register

> Operational register of critical suppliers with data access, SLA thresholds, BCP dependencies, security assessment history, and internal ownership. The auditor-expected evidence document that proves supply chain operational knowledge per Clause 7.5.1(b) and Controls A.5.19–A.5.22.



Tags: ISO 27001, ISMS, Compliance, Supplier Management, A.5.19, A.5.21, A.5.22, Supply Chain


## Example Prompts

- Build our critical supplier register for ISO 27001 Stage 2 audit preparation
- Document our 20 critical suppliers with data access, SLAs, and BCP dependencies
- Check which critical suppliers are overdue for security assessment
- Cross-reference our supplier register with the BCP and risk register
- Update the supplier register after onboarding a new cloud provider

URL: https://rakenne.app/skills/iso27001-critical-supplier-register/index.md

Try this skill: https://rakenne.app/a/?skill=iso27001-critical-supplier-register



## Overview

Build the operational critical supplier register that auditors expect during Stage 2 and surveillance audits. While the Supplier Security Policy defines *what requirements exist*, this register proves the organization *operationally knows and manages its supply chain* — which suppliers access what data, their SLA thresholds, BCP dependencies, assessment history, and who inside the organization owns each relationship.

ISO 27001 does not explicitly name a "critical supplier register," but Clause 7.5.1(b) requires documenting information the organization determines necessary for ISMS effectiveness. In the first 10 minutes of a Stage 2 audit, an external auditor will ask about critical suppliers. If no one can identify them, their access, and what happens if they fail, the ISMS is ineffective — regardless of how good the policy documentation is.

For a step-by-step walkthrough of how this skill fits into the full ISMS flow, see the [**ISO 27001 ISMS workspace tutorial**](/learn/tutorials/iso27001-isms-workspace-guide/).

### What It Covers

- **Three-tier supplier classification** — Critical (Tier 1: data processors, cloud infrastructure, core SaaS), Important (Tier 2: supporting services with some data access), and Standard (Tier 3: minimal risk, physical-only services)
- **Full Tier 1 records** — Data/systems accessed, contractual obligations, internal owner, RTO dependency, BCP scenario, assessment history, risk register cross-reference, exit plan
- **Dependency mapping** — Which suppliers feed which business functions, cascade failure paths, and single points of failure
- **Cross-document validation** — Automated checks against the BCP and risk register to catch gaps before auditors do

### Outputs

- **Critical Supplier Register** — Tiered register with all required fields per supplier
- **Supplier Dependency Map** — Visual dependency matrix linking suppliers to business functions with cascade failure paths

## Example Conversation

> **You:** We need to build the critical supplier register for our ISO 27001 Stage 2 audit preparation. We have about 15 suppliers across cloud, SaaS, and facilities.

> **Agent:** I'll load your organization profile and supplier security policy to pull the supplier list, technology stack, and tiering criteria. Let me classify the 15 suppliers.

> **Agent:** I've classified suppliers into three tiers:
>
> - **Tier 1 — Critical (4 suppliers):** AWS (IaaS, hosts all customer data), Okta (IAM), Snowflake (data warehouse with PII), Stripe (payment processing)
> - **Tier 2 — Important (6 suppliers):** GitHub (source code), Google Workspace (internal comms), Datadog (monitoring), Zendesk (support), SendGrid (email), Cloudflare (CDN/WAF)
> - **Tier 3 — Standard (5 suppliers):** WeWork (office space), ISS (janitorial), Staples (office supplies), FedEx (shipping), Aramark (catering)
>
> I'll now draft full records for the 4 Tier 1 suppliers. I need a few details: who is the internal owner for each, and do you have dates for the last security assessments?

> **You:** Sarah Chen (VP Engineering) owns AWS and Snowflake. James Park (IT Director) owns Okta. Lisa Torres (Finance Director) owns Stripe. We reviewed AWS and Okta certifications in January 2026, Snowflake in November 2025, and Stripe in March 2026.

> **Agent:** All Tier 1 records are drafted with full details. Let me run the four validation tools.
>
> Running `supplier_completeness_validator`...
>
> **SUPPLIER COMPLETENESS VALIDATOR** — Result: **PASS**
> - Total suppliers: 15
> - Tier 1: 4 suppliers, completeness score: 100%
> - Tier 2: 6 suppliers, completeness score: 100%
> - All suppliers have complete records for their tier requirements.
>
> Running `supplier_assessment_freshness_checker`...
>
> **SUPPLIER ASSESSMENT FRESHNESS CHECKER** — Result: **PASS**
> - AWS: GREEN (89 days since assessment)
> - Okta: GREEN (89 days since assessment)
> - Snowflake: GREEN (150 days since assessment)
> - Stripe: GREEN (5 days since assessment)
> - Overdue: 0 | Approaching: 0 | Current: 4
>
> Running `supplier_bcp_dependency_linker`...
>
> **SUPPLIER–BCP DEPENDENCY LINKER** — Result: **FAIL**
> - Tier 1 suppliers in BCP: 2/4 (AWS, Okta)
> - Tier 1 NOT in BCP: Snowflake, Stripe
> - Tier 1 BCP coverage: 50%
> - Add BCP scenarios for Snowflake and Stripe before the audit.
>
> Running `supplier_access_risk_mapper`...
>
> **SUPPLIER ACCESS–RISK REGISTER MAPPER** — Result: **PASS**
> - Suppliers with Confidential/Restricted access: 4
> - Covered in risk register: 4/4 (100%)

> **Agent:** Three of four validations pass. The BCP dependency linker flagged that Snowflake and Stripe are not referenced in any BCP scenario. I recommend adding BCP scenarios for both — Snowflake handles PII in the data warehouse, and Stripe processes payments. Shall I update the BCP to add those scenarios?

> **You:** Yes, add the BCP scenarios for both.

> **Agent:** I've added BCP scenarios for Snowflake (data warehouse outage — failover to read replicas, 4h RTO) and Stripe (payment processing disruption — queue transactions, 2h RTO). Re-running `supplier_bcp_dependency_linker`...
>
> **SUPPLIER–BCP DEPENDENCY LINKER** — Result: **PASS**
> - Tier 1 BCP coverage: 100%. All Tier 1 suppliers are referenced in the BCP.
>
> All four validations now pass. The register and dependency map are ready for your review.

## Sample Output Excerpt

A condensed excerpt from a generated Critical Supplier Register showing a Tier 1 supplier record and the tier classification table:

---

# Critical Supplier Register

> **Document owner:** Sarah Chen, VP Engineering
> **Last reviewed:** 2026-03-31
> **Next review due:** 2027-03-31
> **Review frequency:** Annual (Tier 1), Biennial (Tier 2)

## 1. Purpose

This register provides an operational record of all suppliers classified by criticality tier, documenting their data access, security obligations, assessment status, BCP dependencies, and internal ownership. It serves as evidence of ISMS effectiveness per ISO 27001:2022 Clause 7.5.1(b) and supports Controls A.5.19–A.5.22.

## 2. Tier Classification Criteria

| Tier | Criteria | Assessment Frequency | Documentation Level |
|------|----------|---------------------|-------------------|
| Tier 1 — Critical | Data processors, cloud infrastructure, core business SaaS, access to Confidential/Restricted data | Annual | Full record |
| Tier 2 — Important | Supporting services with some data access, Internal-classified data | Biennial | Standard record |
| Tier 3 — Standard | Minimal risk, no data access, physical-only services | Risk-based | Basic record |

## 3. Tier 1 — Critical Suppliers

### Amazon Web Services (AWS)

| Field | Details |
|-------|---------|
| **Services provided** | IaaS — EC2 compute, RDS databases, S3 storage, CloudFront CDN |
| **Data/systems accessed** | All customer project data (Confidential), application databases (Confidential), backup storage (Restricted) |
| **Contractual security obligations** | NDA-2024-AWS-017, Security Annex SA-AWS-2024, SLA: 99.99% uptime, 15-min incident response |
| **Internal owner** | Sarah Chen, VP Engineering, s.chen@example.com |
| **RTO dependency** | Full platform outage: all customer-facing services down. Business impact: immediate revenue loss, SLA breach within 1h. RTO: 4h (failover to secondary region) |
| **BCP scenario reference** | BCP §4.2 — Cloud Infrastructure Failure |
| **Last security assessment** | 2026-01-15, Method: SOC 2 Type II report review + ISO 27001 certificate verification |
| **Next scheduled assessment** | 2027-01-15 |
| **Key findings (last assessment)** | No critical findings. Advisory: enable GuardDuty in ap-southeast-1 region for consistent threat detection coverage. |
| **Risk register reference** | R-002 (Cloud infrastructure misconfiguration), R-007 (Data residency non-compliance) |
| **Contract renewal date** | 2027-06-01 |
| **Exit/transition plan** | Multi-cloud readiness via containerized workloads; 90-day data export window contractually guaranteed |

---

## Extension Tools

The skill includes four validation tools that enforce supply chain evidence completeness and cross-document traceability:

**`supplier_completeness_validator`** checks that every supplier has all required fields for its tier. Tier 1 suppliers need the full 12-field record (services, data access, classification, contractual obligations, internal owner, RTO dependency, assessment dates, risk references, exit plan). Tier 2 suppliers need 5 fields. Reports a completeness score per tier and lists every missing field per supplier. Parameter: `path` (supplier register document).

**`supplier_assessment_freshness_checker`** verifies that security assessments are current using traffic-light status:

| Tier | RED (overdue) | AMBER (approaching) | GREEN (current) |
|------|--------------|-------------------|----------------|
| Tier 1 | > 365 days | 271–365 days | ≤ 270 days |
| Tier 2 | > 730 days | 541–730 days | ≤ 540 days |

Reports days since last assessment per supplier and flags any with missing dates. Parameter: `path` (supplier register document).
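The traffic-light logic above, written out as an added example (this is illustrative code, not the skill's own `supplier_assessment_freshness_checker`); the `Supplier` dataclass, the sample dates and the treatment of a supplier sitting exactly on a threshold day are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional
# (approaching, overdue) thresholds in days from the traffic-light table; exactly on a
# threshold day counts as the lower band, which is an assumption the table leaves open.
THRESHOLDS = {1: (270, 365), 2: (540, 730)}

@dataclass
class Supplier:
    name: str
    tier: int
    last_assessment: Optional[date]  # None means the register has no date recorded

def freshness_status(supplier: Supplier, today: date) -> tuple[str, Optional[int]]:
    """Return (status, days_since). Tier 3 is assessed risk-based, so no calendar status."""
    if supplier.tier not in THRESHOLDS:
        return ("N/A", None)
    if supplier.last_assessment is None:
        return ("MISSING", None)  # flagged: an undated assessment cannot be evidenced
    days = (today - supplier.last_assessment).days
    approaching, overdue = THRESHOLDS[supplier.tier]
    if days > overdue:
        return ("RED", days)
    if days > approaching:
        return ("AMBER", days)
    return ("GREEN", days)

def check_register(suppliers: list[Supplier], today: date) -> dict:
    """Summarise as the tool reports it: Overdue | Approaching | Current, plus missing dates."""
    report = {"per_supplier": {}, "overdue": 0, "approaching": 0, "current": 0, "missing": []}
    for s in suppliers:
        status, days = freshness_status(s, today)
        report["per_supplier"][s.name] = (status, days)
        bucket = {"RED": "overdue", "AMBER": "approaching", "GREEN": "current"}.get(status)
        if bucket:
            report[bucket] += 1
        elif status == "MISSING":
            report["missing"].append(s.name)
    return report

def sample_report() -> dict:
    """Run the check as of 2026-03-31 over a constructed register (names reused, dates invented)."""
    suppliers = [
        Supplier("AWS", 1, date(2026, 1, 15)),       # 75 days: current
        Supplier("Snowflake", 1, date(2025, 3, 1)),  # 395 days: overdue for Tier 1
        Supplier("GitHub", 2, date(2024, 9, 1)),     # 576 days: approaching for Tier 2
        Supplier("Datadog", 2, None),                # no date recorded
        Supplier("WeWork", 3, None),                 # Tier 3: risk-based, no status
    ]
    return check_register(suppliers, date(2026, 3, 31))
```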

**`supplier_bcp_dependency_linker`** cross-references the supplier register against the Business Continuity Plan. Flags Tier 1 suppliers not mentioned in any BCP scenario and BCP sections that reference suppliers not in the register. Reports Tier 1 BCP coverage as a percentage. Parameters: `register_path`, `bcp_path`.

**`supplier_access_risk_mapper`** cross-references supplier data access levels against the risk register. Any supplier with access to Confidential or Restricted data must have a corresponding risk entry per Clause 8.2. Reports coverage percentage and lists uncovered suppliers. Parameters: `register_path`, `risk_register_path`.
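The two cross-document checks above (BCP dependency linking and access-to-risk mapping), as an added example over constructed markdown in the layout of the sample register; this is illustrative code, not the skill's own tools. The sample documents, the assumption that a BCP scenario "references" a supplier when it names it, and the extra check that a cited `R-nnn` ID actually exists in the risk register are all assumptions that go slightly beyond the description.

```python
from __future__ import annotations
import re
# Constructed sample documents in the register's markdown layout (not the page's data).
REGISTER_MD = """
### Amazon Web Services (AWS)
| **Data/systems accessed** | Customer data (Confidential), backups (Restricted) |
| **BCP scenario reference** | BCP §4.2 Cloud Infrastructure Failure |
| **Risk register reference** | R-002, R-007 |
### Snowflake
| **Data/systems accessed** | Data warehouse with PII (Confidential) |
| **BCP scenario reference** | Not yet documented |
| **Risk register reference** | R-099 |
"""
BCP_MD = """
## 4.2 Cloud Infrastructure Failure
Triggered by an AWS region outage; failover to the secondary region within 4h.
"""
RISK_IDS = {"R-002", "R-007", "R-011"}  # IDs that actually exist in the risk register

def parse_register(md: str) -> dict[str, dict[str, str]]:
    """Map each '### Supplier' heading to its '| **Field** | value |' table rows."""
    suppliers, current = {}, None
    for line in md.splitlines():
        if line.startswith("### "):
            current = line[4:].strip()
            suppliers[current] = {}
        elif current and (m := re.match(r"\|\s*\*\*(.+?)\*\*\s*\|\s*(.*?)\s*\|$", line)):
            suppliers[current][m.group(1)] = m.group(2)
    return suppliers

def name_tokens(name: str) -> list[str]:
    """'Amazon Web Services (AWS)' -> ['Amazon Web Services', 'AWS'] so either form matches."""
    return [t.strip() for t in re.split(r"[()]", name) if t.strip()]

def bcp_coverage(register: dict, bcp_md: str) -> dict:
    """A Tier 1 supplier counts as covered only if some BCP scenario actually names it."""
    covered = [n for n in register if any(tok in bcp_md for tok in name_tokens(n))]
    missing = [n for n in register if n not in covered]
    pct = round(100 * len(covered) / len(register)) if register else 0
    return {"covered": covered, "missing": missing, "pct": pct, "pass": not missing}

def risk_coverage(register: dict, risk_ids: set[str]) -> dict:
    """Suppliers holding Confidential/Restricted data need a risk entry that really exists."""
    uncovered = []
    for name, fields in register.items():
        if re.search(r"Confidential|Restricted", fields.get("Data/systems accessed", "")):
            refs = set(re.findall(r"R-\d{3}", fields.get("Risk register reference", "")))
            if not refs & risk_ids:  # no reference, or a dangling ID such as R-099
                uncovered.append(name)
    return {"uncovered": uncovered, "pass": not uncovered}
```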

## Getting Started

Start by completing the **Organization Profile** (which captures your technology stack and supplier list) and the **Supplier Security Policy** (which defines tier classification criteria). Then activate this skill and tell the agent how many suppliers you have and their general categories. The agent will classify them by tier, draft full records for Tier 1 suppliers, and run all four validation tools to check completeness, assessment freshness, BCP coverage, and risk register alignment. Provide internal owner names and assessment dates when prompted — these are the fields auditors check first.



---

Back to [Skill Library](https://rakenne.app/skills/index.md)
